summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--conf/CMakeLists.txt1
-rw-r--r--conf/dbus/CMakeLists.txt28
-rw-r--r--conf/dbus/afm-permissions-session.conf31
-rw-r--r--conf/dbus/afm-permissions-system.conf58
-rw-r--r--conf/system/CMakeLists.txt10
-rw-r--r--conf/system/afm-system-setup.sh.in2
-rw-r--r--conf/system/afm-user-setup.sh.in22
-rw-r--r--conf/system/afm-user-setup@.service.in3
l---------conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service1
-rw-r--r--conf/unit/afm-unit26
-rw-r--r--conf/unit/binder.inc4
-rw-r--r--conf/unit/macros.inc29
-rw-r--r--conf/unit/provided-api-platform.inc85
-rw-r--r--conf/unit/provided-api-user.inc (renamed from conf/unit/provided-api.inc)7
-rw-r--r--conf/unit/provided-binding-platform.inc48
-rw-r--r--conf/unit/provided-binding-user.inc (renamed from conf/unit/provided-binding.inc)4
-rw-r--r--conf/unit/service.inc71
-rw-r--r--docs/3-permissions.md8
18 files changed, 389 insertions, 49 deletions
diff --git a/conf/CMakeLists.txt b/conf/CMakeLists.txt
index 47fe4ec..11b2beb 100644
--- a/conf/CMakeLists.txt
+++ b/conf/CMakeLists.txt
@@ -19,4 +19,5 @@
add_subdirectory(unit)
add_subdirectory(system)
add_subdirectory(user)
+add_subdirectory(dbus)
diff --git a/conf/dbus/CMakeLists.txt b/conf/dbus/CMakeLists.txt
new file mode 100644
index 0000000..9946595
--- /dev/null
+++ b/conf/dbus/CMakeLists.txt
@@ -0,0 +1,28 @@
+###########################################################################
+# Copyright (C) 2015-2019 IoT.bzh
+#
+# author: José Bollo <jose.bollo@iot.bzh>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+###########################################################################
+
+cmake_minimum_required(VERSION 2.8)
+
+if(NOT USE_SDK)
+ set(SYSCONFDIR_DBUS_SYSTEM ${CMAKE_INSTALL_SYSCONFDIR}/dbus-1/system.d CACHE STRING "Path to dbus system configuration files")
+ set(SYSCONFDIR_DBUS_SESSION ${CMAKE_INSTALL_SYSCONFDIR}/dbus-1/session.d CACHE STRING "Path to dbus system configuration files")
+
+ install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/afm-permissions-system.conf DESTINATION ${SYSCONFDIR_DBUS_SYSTEM})
+ install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/afm-permissions-session.conf DESTINATION ${SYSCONFDIR_DBUS_SESSION})
+endif()
+
diff --git a/conf/dbus/afm-permissions-session.conf b/conf/dbus/afm-permissions-session.conf
new file mode 100644
index 0000000..5dbfe2d
--- /dev/null
+++ b/conf/dbus/afm-permissions-session.conf
@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<!--
+ This file is part of afm-main
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<busconfig>
+ <policy at_console="false">
+
+ <!-- any -->
+ <check send_destination="*" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="*" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ </policy>
+</busconfig>
+
+
diff --git a/conf/dbus/afm-permissions-system.conf b/conf/dbus/afm-permissions-system.conf
new file mode 100644
index 0000000..30f9a8f
--- /dev/null
+++ b/conf/dbus/afm-permissions-system.conf
@@ -0,0 +1,58 @@
+<?xml version="1.0"?>
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<!--
+ This file is part of afm-main
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<busconfig>
+ <policy at_console="false">
+
+ <!-- any -->
+ <check send_destination="*" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="*" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ <!-- org.bluez -->
+ <check send_destination="org.bluez" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="org.bluez" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ <!-- fi.w1.wpa_supplicant1 -->
+ <check send_destination="fi.w1.wpa_supplicant1" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="fi.w1.wpa_supplicant1" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ <!-- org.ofono -->
+ <check send_destination="org.ofono" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="org.ofono" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ <!-- org.freedesktop.GeoClue2 -->
+ <check send_destination="org.freedesktop.GeoClue2" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="org.freedesktop.GeoClue2" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ <!-- org.neard -->
+ <check send_destination="org.neard" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="org.neard" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ <!-- org.neardal -->
+ <check send_destination="org.neardal" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="org.neardal" privilege="http://tizen.org/privilege/internal/dbus"/>
+
+ <!-- net.connman -->
+ <check send_destination="net.connman" privilege="http://tizen.org/privilege/internal/dbus"/>
+ <check receive_sender="net.connman" privilege="http://tizen.org/privilege/internal/dbus"/>
+ </policy>
+</busconfig>
+
+
diff --git a/conf/system/CMakeLists.txt b/conf/system/CMakeLists.txt
index eba8d42..3cabd0c 100644
--- a/conf/system/CMakeLists.txt
+++ b/conf/system/CMakeLists.txt
@@ -18,6 +18,10 @@
cmake_minimum_required(VERSION 2.8)
+if(AGL_DEVEL)
+ set(create_platform_debug "dodir ${afm_platform_rundir}/debug")
+endif()
+
configure_file(afm-system-daemon.service.in afm-system-daemon.service)
configure_file(afm-system-daemon.socket.in afm-system-daemon.socket)
configure_file(afm-system-setup.service.in afm-system-setup.service)
@@ -47,6 +51,12 @@ if(NOT USE_SDK)
${UNITDIR_SYSTEM}
)
install(
+ DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/user-runtime-dir@.service.wants
+ DESTINATION
+ ${UNITDIR_SYSTEM}
+ )
+ install(
PROGRAMS
${CMAKE_CURRENT_BINARY_DIR}/afm-user-setup.sh
${CMAKE_CURRENT_BINARY_DIR}/afm-system-setup.sh
diff --git a/conf/system/afm-system-setup.sh.in b/conf/system/afm-system-setup.sh.in
index 2af411c..65e75ed 100644
--- a/conf/system/afm-system-setup.sh.in
+++ b/conf/system/afm-system-setup.sh.in
@@ -13,4 +13,4 @@ dodir $pdir
dodir $pdir/display
dodir $pdir/apis
dodir $pdir/apis/ws
-
+@create_platform_debug@
diff --git a/conf/system/afm-user-setup.sh.in b/conf/system/afm-user-setup.sh.in
index 24795ae..076676f 100644
--- a/conf/system/afm-user-setup.sh.in
+++ b/conf/system/afm-user-setup.sh.in
@@ -3,18 +3,28 @@
uid=$1
udir=/run/user/$uid
-dodir() {
+dodir_star() {
if ! test -e $1; then
mkdir -m 700 $1
chown $uid:$uid $1
- chsmack -a '*' $1
fi
+ chsmack -a '*' $1
}
-dodir $udir
-dodir $udir/apis
-dodir $udir/apis/ws
-dodir $udir/apis/link
+dodir_star $udir
+dodir_star $udir/apis
+dodir_star $udir/apis/ws
+dodir_star $udir/apis/link
+
+dodir_usrshr() {
+ if ! test -e $1; then
+ mkdir -m 700 $1
+ chown $uid:$uid $1
+ fi
+ chsmack -a User::App-Shared -t $1
+}
+
+dodir_usrshr $udir/usrshr
doln() {
if ! test -e $2; then
diff --git a/conf/system/afm-user-setup@.service.in b/conf/system/afm-user-setup@.service.in
index 86c0422..c1e4f1e 100644
--- a/conf/system/afm-user-setup@.service.in
+++ b/conf/system/afm-user-setup@.service.in
@@ -1,6 +1,7 @@
[Unit]
Description=Initiate afm-user-setup %i
-After=user@%i.service
+After=user-runtime-dir@%i.service
+Before=user@%i.service
[Service]
Type=oneshot
StartLimitInterval=0
diff --git a/conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service b/conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service
new file mode 120000
index 0000000..07fe155
--- /dev/null
+++ b/conf/system/user-runtime-dir@.service.wants/afm-user-setup@.service
@@ -0,0 +1 @@
+../afm-user-setup@.service \ No newline at end of file
diff --git a/conf/unit/afm-unit b/conf/unit/afm-unit
index 2a91067..342a048 100644
--- a/conf/unit/afm-unit
+++ b/conf/unit/afm-unit
@@ -88,21 +88,39 @@ divert(0)dnl
{{#targets}}
;-------------------------------------------------------------------------------
include(service.inc)
+IF_PERM(:partner:scope-platform)
;-------------------------------------------------------------------------------
-;---- F O R E A C H P R O V I D E D A P I S ----
+;---- F O R E A C H P R O V I D E D A P I S (PLATFORM) ----
;-------------------------------------------------------------------------------
{{#provided-api}}
{{#value=ws|auto}}
-include(provided-api.inc)
+include(provided-api-platform.inc)
{{/value=ws|auto}}
{{/provided-api}}
;-------------------------------------------------------------------------------
-;---- F O R E A C H P R O V I D E D B I N D I N G ----
+;---- F O R E A C H P R O V I D E D B I N D I N G (PLATFORM) ----
;-------------------------------------------------------------------------------
{{#provided-binding}}
-include(provided-binding.inc)
+include(provided-binding-platform.inc)
{{/provided-binding}}
;-------------------------------------------------------------------------------
+ELSE
+;-------------------------------------------------------------------------------
+;---- F O R E A C H P R O V I D E D A P I S (USER) ----
+;-------------------------------------------------------------------------------
+{{#provided-api}}
+{{#value=ws|auto}}
+include(provided-api-user.inc)
+{{/value=ws|auto}}
+{{/provided-api}}
+;-------------------------------------------------------------------------------
+;---- F O R E A C H P R O V I D E D B I N D I N G (USER) ----
+;-------------------------------------------------------------------------------
+{{#provided-binding}}
+include(provided-binding-user.inc)
+{{/provided-binding}}
+;-------------------------------------------------------------------------------
+ENDIF
{{/targets}}
;-------------------------------------------------------------------------------
; End of file afm-unit.conf mode ON_AGL_DEVEL(DEVEL, RELEASE)
diff --git a/conf/unit/binder.inc b/conf/unit/binder.inc
index 30c25d5..58f877f 100644
--- a/conf/unit/binder.inc
+++ b/conf/unit/binder.inc
@@ -12,7 +12,7 @@ Type=notify
ExecStart=/usr/bin/afb-daemon \
--name afbd-TARGET \
--rootdir={{:#metadata.install-dir}} \
- --workdir=APP_DATA_DIR/{{id}} \
+ --workdir=APP_WORK_DIR \
IF_AGL_DEVEL \
--verbose \
--verbose \
@@ -48,4 +48,4 @@ ENDIF \
{{/provided-api}} \
ON_CONTENT(text/html, --exec /usr/bin/web-runtime http://localhost:@p/{{content.src}}?token=@t) \
ON_CONTENT(application/vnd.agl.native, --exec {{:#metadata.install-dir}}/{{content.src}} @p @t)
-
+%nl
diff --git a/conf/unit/macros.inc b/conf/unit/macros.inc
index a764765..ca72b95 100644
--- a/conf/unit/macros.inc
+++ b/conf/unit/macros.inc
@@ -25,6 +25,7 @@ define( `PERM', `@afm_prefix@permission:$1')
define( `REQPERM', `required-permission.PERM($1)')
define( `ON_PERM', `MUSTACH_ON(REQPERM($1),$2,$3)')
+define( `ON_NOT_PERM', `MUSTACH_ON(REQPERM($1),$3,$2)')
define( `IF_PERM', `MUSTACH_IF(REQPERM($1))')
define( `IF_NOT_PERM', `MUSTACH_IF_NOT(REQPERM($1))')
@@ -43,21 +44,36 @@ define( `IF_NOT_VALUE', `MUSTACH_IF_NOT(value=$1)')
-- use TARGET={{:id}}--{{:ver}}--{{:#target}}
-- instead of TARGET={{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}
--------------------------------------------------------------------------------
+define( `SMACKLABEL', `User::App::{{:id}}')
define( `TARGET', `{{idaver}}{{^#target=main}}@{{:#target}}{{/#target=main}}')
define( `NEWTARGET', `{{:id}}--{{:ver}}--{{:#target}}')
+define( `UNITSUFFIX', `ON_NOT_PERM(`:partner:scope-platform', `@%i')')
define( `UNIT_NAME_BASE', `afm-ON_PERM(`:public:hidden', `service', `appli')-NEWTARGET')
-define( `UNIT_NAME_SERVICE', `UNIT_NAME_BASE@%i.service')
define( `UNIT_NAME_API_BASE', `afm-api-$1')
-define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)@$2.service')
-define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)@$2.socket')
+define( `UNIT_NAME_API_SERVICE', `UNIT_NAME_API_BASE($1)UNITSUFFIX.service')
+define( `UNIT_NAME_API_SOCKET', `UNIT_NAME_API_BASE($1)UNITSUFFIX.socket')
define( `UNIT_NAME_BINDING_BASE', `afm-link-$1')
-define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)@$2.service')
-define( `APP_DATA_DIR', `/home/%i/app-data')
+define( `UNIT_NAME_BINDING_SERVICE', `UNIT_NAME_BINDING_BASE($1)UNITSUFFIX.service')
+
define( `USER_RUN_DIR', `@afm_users_rundir@/%i')
define( `DEBUGGING_DIR', `@afm_platform_rundir@/debug')
-define( `API_PATH', `USER_RUN_DIR/apis')
+define( `PLATFORM_RUN_DIR', `@afm_platform_rundir@')
+
+define( `APP_DATA_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `/home/%i/app-data')')
+define( `APP_WORK_DIR', `ON_PERM(`:partner:scope-platform', `/tmp', `APP_DATA_DIR/{{:id}}')')
+define( `RUN_DIR', `ON_PERM(`:partner:scope-platform', `PLATFORM_RUN_DIR', `USER_RUN_DIR')')
+
+define( `API_PATH', `RUN_DIR/apis')
define( `API_PATH_WS', `API_PATH/ws')
define( `API_PATH_LINK', `API_PATH/link')
+
+define( `PLATFORM_API_PATH', `PLATFORM_RUN_DIR/apis')
+define( `PLATFORM_API_PATH_WS', `PLATFORM_API_PATH/ws')
+define( `PLATFORM_API_PATH_LINK', `PLATFORM_API_PATH/link')
+
+define( `USER_API_PATH', `USER_RUN_DIR/apis')
+define( `USER_API_PATH_WS', `USER_API_PATH/ws')
+define( `USER_API_PATH_LINK', `USER_API_PATH/link')
--------------------------------------------------------------------------------
-- AGL_DEVEL SPECIFIC PARTS
--------------------------------------------------------------------------------
@@ -65,3 +81,4 @@ define( `ON_AGL_DEVEL', `ifdef(`AGL_DEVEL', $1, $2)')
define( `ON_NOT_AGL_DEVEL', `ifdef(`AGL_DEVEL', $2, $1)')
define( `IF_AGL_DEVEL', `IF(ON_AGL_DEVEL(1,0))')
define( `IF_NOT_AGL_DEVEL', `IF(ON_AGL_DEVEL(0,1))')
+--------------------------------------------------------------------------------
diff --git a/conf/unit/provided-api-platform.inc b/conf/unit/provided-api-platform.inc
new file mode 100644
index 0000000..d169d9a
--- /dev/null
+++ b/conf/unit/provided-api-platform.inc
@@ -0,0 +1,85 @@
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})@
+
+[Unit]
+Description=Provides api {{name}} for user %i
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_WS/{{name}} USER_API_PATH_WS/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_API_BASE({{name}})
+
+[Unit]
+Description=Provides api {{name}} for platform
+X-AFM-API-TYPE={{value}}
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+Requires=UNIT_NAME_API_BASE({{name}}).socket
+After=UNIT_NAME_API_BASE({{name}}).socket
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S O C K E T O F T H E A P I (PLATFORM) ----
+;-------------------------------------------------------------------------------
+
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit socket UNIT_NAME_API_BASE({{name}})
+[Unit]
+Description=Provides websocket api {{name}} for platform
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+DefaultDependencies=no
+
+[Socket]
+SmackLabel=*
+SmackLabelIPIn=System
+SmackLabelIPOut=System
+ListenStream=PLATFORM_API_PATH_WS/{{name}}
+FileDescriptorName={{name}}
+Service=UNIT_NAME_BASE.service
+
+%end systemd-unit
diff --git a/conf/unit/provided-api.inc b/conf/unit/provided-api-user.inc
index bdee6c9..77478c8 100644
--- a/conf/unit/provided-api.inc
+++ b/conf/unit/provided-api-user.inc
@@ -46,11 +46,8 @@ DefaultDependencies=no
SmackLabel=*
SmackLabelIPIn=System
SmackLabelIPOut=System
-ListenStream=API_PATH_WS/{{name}}
+ListenStream=USER_API_PATH_WS/{{name}}
FileDescriptorName={{name}}
-Service=UNIT_NAME_SERVICE
+Service=UNIT_NAME_BASE@%i.service
%end systemd-unit
-
-
-
diff --git a/conf/unit/provided-binding-platform.inc b/conf/unit/provided-binding-platform.inc
new file mode 100644
index 0000000..375a636
--- /dev/null
+++ b/conf/unit/provided-binding-platform.inc
@@ -0,0 +1,48 @@
+dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (USER) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})@
+
+[Unit]
+Description=Provides binding {{name}} for user %i
+
+Requires=afm-user-setup@%i.service
+After=afm-user-setup@%i.service
+Requires=UNIT_NAME_BINDING_BASE({{name}}).service
+After=UNIT_NAME_BINDING_BASE({{name}}).service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf PLATFORM_API_PATH_LINK/{{name}} USER_API_PATH_LINK/{{name}}
+
+%end systemd-unit
+
+;-------------------------------------------------------------------------------
+;---- T H E S E R V I C E O F T H E B I N D I N G (PLATFORM) ----
+;-------------------------------------------------------------------------------
+%begin systemd-unit
+
+# auto generated by wgtpkg-unit for {{:id}} version {{:version}} target {{:#target}} of {{:idaver}}
+
+%systemd-unit system
+%systemd-unit service UNIT_NAME_BINDING_BASE({{name}})
+
+[Unit]
+Description=Provides binding {{name}} for platform
+
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} PLATFORM_API_PATH_LINK/{{name}}
+
+%end systemd-unit
diff --git a/conf/unit/provided-binding.inc b/conf/unit/provided-binding-user.inc
index 3737126..5a53735 100644
--- a/conf/unit/provided-binding.inc
+++ b/conf/unit/provided-binding-user.inc
@@ -18,8 +18,6 @@ After=afm-user-setup@%i.service
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} API_PATH_LINK/{{name}}
+ExecStart=/bin/ln -sf {{:#metadata.install-dir}}/{{value}} USER_API_PATH_LINK/{{name}}
%end systemd-unit
-
-
diff --git a/conf/unit/service.inc b/conf/unit/service.inc
index 88c1454..bebf25a 100644
--- a/conf/unit/service.inc
+++ b/conf/unit/service.inc
@@ -8,7 +8,11 @@ dnl vim: set filetype=sysctl.conf.m4 syntax=sysctl.conf.m4:
%nl
%systemd-unit system
+IF_PERM(:partner:scope-platform)
+%systemd-unit service UNIT_NAME_BASE
+ELSE
%systemd-unit service UNIT_NAME_BASE@
+ENDIF
[Unit]
Description={{description}}
@@ -29,12 +33,19 @@ X-AFM--target-name={{:#target}}
X-AFM--content={{content.src}}
X-AFM--type={{content.type}}
X-AFM--wgtdir={{:#metadata.install-dir}}
-X-AFM--workdir=APP_DATA_DIR/{{:id}}
+X-AFM--workdir=APP_WORK_DIR
X-AFM--visibility=ON_PERM(`:public:hidden', `hidden', `visible')
%nl
+IF_PERM(:partner:scope-platform)
+X-AFM--scope=platform
+After=afm-system-setup.service
+ELSE
+X-AFM--scope=user
Requires=afm-user-session@%i.target
After=user@%i.service
+ENDIF
+
After=Network.target
# Adds check to smack
@@ -44,56 +55,71 @@ ConditionSecurity=smack
# Automatic bound to required api
{{#required-binding}}
{{#value=extern}}
-BindsTo=UNIT_NAME_BINDING_SERVICE({{name}},%i)
-After=UNIT_NAME_BINDING_SERVICE({{name}},%i)
+BindsTo=UNIT_NAME_BINDING_SERVICE({{name}})
+After=UNIT_NAME_BINDING_SERVICE({{name}})
{{/value=extern}}
{{/required-binding}}
+
{{#required-api}}
{{#value=auto|ws}}
-BindsTo=UNIT_NAME_API_SERVICE({{name}},%i)
-After=UNIT_NAME_API_SERVICE({{name}},%i)
+BindsTo=UNIT_NAME_API_SERVICE({{name}})
+After=UNIT_NAME_API_SERVICE({{name}})
{{/value=auto|ws}}
{{/required-api}}
+
{{#provided-api}}
{{#value=ws|auto}}
-Requires=UNIT_NAME_API_SOCKET({{name}},%i)
-After=UNIT_NAME_API_SOCKET({{name}},%i)
+Requires=UNIT_NAME_API_SOCKET({{name}})
+After=UNIT_NAME_API_SOCKET({{name}})
{{/value=ws|auto}}
{{/provided-api}}
%nl
[Service]
+
EnvironmentFile=-@afm_confdir@/unit.env.d/*
EnvironmentFile=-@afm_confdir@/widget.env.d/{{:id}}/*
-SmackProcessLabel=User::App::{{:id}}
+SmackProcessLabel=SMACKLABEL
SuccessExitStatus=0 SIGKILL
-
+UMask=0077
+
+IF_PERM(:partner:scope-platform)
+#DynamicUser=true
+User=daemon
+Group=nobody
+Slice=platform.slice
+ELSE
User=%i
Slice=user-%i.slice
-
+WorkingDirectory=-APP_WORK_DIR
+ExecStartPre=/bin/mkdir -p APP_WORK_DIR
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus
+ENDIF
+IF_PERM(:system:capability:keep-all)
+CapabilityBoundingSet=~
+AmbientCapabilities=~
+ELSE
CapabilityBoundingSet=
-#AmbientCapabilities=
+ENDIF
ON_PERM(:platform:no-oom, OOMScoreAdjust=-500)
ON_PERM(:partner:real-time, IOSchedulingClass=realtime)
ON_PERM(:public:display, SupplementaryGroups=display)
-ON_PERM(:public:syscall:clock, , SystemCallFilter=~@clock)
+ON_PERM(:public:audio, SupplementaryGroups=audio)
+ON_NOT_PERM(:public:syscall:clock, SystemCallFilter=~@clock)
%nl
-WorkingDirectory=-APP_DATA_DIR/{{:id}}
-ExecStartPre=/bin/mkdir -p APP_DATA_DIR/{{:id}}
Environment=AFM_ID=TARGET
Environment=AFM_APP_INSTALL_DIR={{:#metadata.install-dir}}
-Environment=AFM_WORKDIR=APP_DATA_DIR/{{:id}}
+Environment=AFM_WORKDIR=APP_WORK_DIR
Environment=AFM_WSAPI_DIR=API_PATH_WS
Environment=PATH=/usr/sbin:/usr/bin:/sbin:/bin:{{:#metadata.install-dir}}/bin
Environment=LD_LIBRARY_PATH={{:#metadata.install-dir}}/lib
-Environment=XDG_DATA_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_CONFIG_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_CACHE_HOME=APP_DATA_DIR/{{:id}}
-Environment=XDG_RUNTIME_DIR=USER_RUN_DIR
-Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=USER_RUN_DIR/bus
+Environment=XDG_DATA_HOME=APP_WORK_DIR
+Environment=XDG_CONFIG_HOME=APP_WORK_DIR
+Environment=XDG_CACHE_HOME=APP_WORK_DIR
+Environment=XDG_RUNTIME_DIR=RUN_DIR
IF_AGL_DEVEL
; Needed to enable debug
@@ -124,9 +150,14 @@ IF_PERM(:system:run-by-default)
; auto start
;-------------------------------------------------------------------------------
[Install]
+IF_PERM(:partner:scope-platform)
+WantedBy=multi-user.target
+%systemd-unit wanted-by multi-user.target
+ELSE
WantedBy=afm-user-session@.target
%systemd-unit wanted-by afm-user-session@.target
ENDIF
+ENDIF
%end systemd-unit
diff --git a/docs/3-permissions.md b/docs/3-permissions.md
index 957478e..fa65c5d 100644
--- a/docs/3-permissions.md
+++ b/docs/3-permissions.md
@@ -90,7 +90,7 @@ attachment of value to permission.
## Example of permissions
Here is a list of some possible permissions.
-These permissions are available the 17th of March 2017.
+These permissions are available the 21th of May 2019.
- urn:AGL:permission::platform:no-oom
Set OOMScoreAdjust=-500 to keep the out-of-memory
@@ -117,6 +117,12 @@ These permissions are available the 17th of March 2017.
Forbids services to provide its API through D-Bus.
- urn:AGL:permission::system:run-by-default
Starts automatically the application. Example: home-screen.
+- urn:AGL:permission::partner:scope-platform
+ Install the service at the scope of the platform.
+- urn:AGL:permission::system:capability:keep-all
+ Keep all capabilities for the service. Note that implementing
+ that permission is not mandatory or can be adapted for the given
+ system.
- <http://tizen.org/privilege/internal/dbus>
Permission to use D-Bus.